Marian,

as far as I understand (educated guess!), the 'server_name' is sent during the TLS 
handshake, but after server & client have agreed on a TLS version. Hence, I 
would expect that a client which prefers TLS 1.2 will never see 
'second.server.on.my.domain', which may be exactly what you want.
However, the order in which the 'VirtualHost's are initialized does matter. So 
I would suggest putting the 1.3-only server first in your config.
I would also suggest setting 'SSLProtocol -all +TLSv1.2 +TLSv1.3' in the SSL 
module's config and, after that, denying it in 'second.server.on.my.domain' with 
'SSLProtocol -TLSv1.2'. Have a look at 'SSLCipherSuite' and 
'SSLHonorCipherOrder'; maybe you need to change the order there.



On 16.10.19 at 09:17, Marian Ion wrote:
> According to
> <https://cwiki.apache.org/confluence/display/HTTPD/NameBasedSSLVHostsWithSNI>
> "With SNI, you can have many virtual hosts sharing the same IP address
> and port, and each one can have its own unique certificate (and the rest
> of the configuration)."
> 
> So, using Apache 2.4.41 on a Debian Buster with OpenSSL/1.1.1d I have
> - in ssl.conf: SSLStrictSNIVHostCheck On
> - in virtual hosts files I have something like
> <VirtualHost *:443>
>   ServerName      first.server.on.my.domain
>   SSLProtocol    -all +TLSv1.2 +TLSv1.3
> </VirtualHost>
> 
> <VirtualHost *:443>
>   ServerName      second.server.on.my.domain
>   SSLProtocol    -all +TLSv1.3
> </VirtualHost>
> 
> For both I use wildcard certificates for *server.on.my.domain; what I
> would like is to have the second server responding to TLS 1.3 only -
> however, it seems that the configuration of the first virtual host prevails!
> 
> Is it possible to do what I am looking for? if yes, what am I doing wrong?
> 
> Marian Ion

Martin
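As an added example (not from either message in this thread), the layout described in the reply written out as a configuration: the global protocol list in the SSL module config, the TLS-1.3-only host listed first, and the hostnames taken from the thread; the certificate paths are placeholders.

```apache
# Added example, not from either message in this thread.
# Global default in the SSL module configuration (e.g. ssl.conf):
# TLS 1.2 and TLS 1.3 only, and reject clients that send no SNI.
SSLProtocol             -all +TLSv1.2 +TLSv1.3
SSLStrictSNIVHostCheck  On

# Listed first on purpose: the first VirtualHost for an address:port pair
# is the default one for that pair, used when no ServerName matches.
<VirtualHost *:443>
    ServerName              second.server.on.my.domain
    SSLEngine               on
    # TLS 1.3 only for this name (explicit form, independent of the global list).
    SSLProtocol             -all +TLSv1.3
    # Certificate paths are placeholders for the wildcard certificate.
    SSLCertificateFile      /etc/ssl/certs/wildcard.server.on.my.domain.crt
    SSLCertificateKeyFile   /etc/ssl/private/wildcard.server.on.my.domain.key
</VirtualHost>

<VirtualHost *:443>
    ServerName              first.server.on.my.domain
    SSLEngine               on
    # No SSLProtocol here: inherits the global TLS 1.2 + TLS 1.3 list.
    SSLHonorCipherOrder     on
    SSLCertificateFile      /etc/ssl/certs/wildcard.server.on.my.domain.crt
    SSLCertificateKeyFile   /etc/ssl/private/wildcard.server.on.my.domain.key
</VirtualHost>
```

To confirm whether the per-host setting is actually honoured, run `openssl s_client -connect <host>:443 -servername second.server.on.my.domain -tls1_2` and the same command with `-tls1_3`: if it is, the first handshake fails and the second completes. If both complete, the connection is still being negotiated with the other host's protocol list.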

